One detail from the assassination last month of a Hamas leader in Dubai should, at first glance, ease the minds of privacy experts. None of the hit team — widely suspected to be Israeli Mossad agents traveling under stolen identities — used newfangled biometric passports. The 11 members of the team traveling with falsified European identities used old-fashioned, unchipped passports, according to Interpol.

Biometric passports were one of the most powerful and unobtrusive changes to international travel that the United States insisted on after Sept. 11, 2001. As a direct result of U.S. pressure, all EU governments introduced more-expensive passports after 2006 that included RFID microchips to broadcast basic personal information, including name and passport number, your photograph, your fingerprints, and (if it’s been collected) a retina scan of your eye.

Washington demanded these passports from friendly countries that maintained visa-free travel agreements with the United States. To stay in the visa-waiver program, Washington said after 2001, friendly nations would have to upgrade their passports to high-tech, microchipped “ePassports” with machine-readable data.

The new documents belonged to what Homeland Security Chief Michael Chertoff once envisioned as “a worldwide system of tripwires,” set off by personal data, “that make it easy for the vast amount of travelers to move along unimpeded but that make it dangerous and difficult for terrorists to do the same thing.”

But they upset privacy experts who argued that RFID chips radiated unsecured personal details to the world, making it easy for criminals with a simple machine to read them. The EU’s own working group FIDIS (the “Future of Identity in the Information Society” research network) said safeguards on the first biometric passports were too weak.

“By failing to implement an appropriate security architecture,” the group wrote in 2006, “European governments have effectively forced their citizens to adopt new international Machine Readable Travel Documents (MRTDs), which dramatically decrease security and privacy, and increase the risk of identity theft.”

After 2006, both America and the EU gave “second-generation” e-passports a measure of security, though whether they’re really a safe way to carry your data around will be a topic for a future column. The “Crypto Group” at Belgium’s Université catholique de Louvain says no, and Europol argues that the supposedly secure passports are still vulnerable to counterfeiting by “determined” criminals.

But it’s significant that the team of assassins in Dubai who killed the Hamas commander, Mahmoud al-Mabhouh, used old-fashioned passports. Any group willing to send an international hit team after a man would have to qualify as “determined,” and Mossad, according to Victor Ostrovsky, a former Mossad officer interviewed recently on Australian radio, has a passport “factory” dedicated to making counterfeits. “They create various types of papers, every kind of ink,” he said. “It’s a very, very expensive research department.”

So the new ePassports are possibly too much of a headache, for now, for such a sophisticated operation. But tests carried out by The Times of London in 2008 suggested that falsifying an ePassport wasn’t complicated at all, so there could be another reason why Mossad might have avoided using biometric documents. Namely: The databases themselves might be vulnerable.

Jerusalem hasn’t started to issue ePassports yet, and one argument used by their opponents in Israel is that an entire national database of personal details could be hacked and revealed wholesale to a government unfriendly to Israel — say, the United Arab Emirates. Then the border guards in that country would have a way of double-checking the identity of, say, a Mossad agent trying to enter. Then “every Israeli agent who gives his fingerprint at a biometric border control station is liable to be in danger of exposure,” according to the Israeli paper Ha’aretz.

“The fear … is not unfounded,” the paper continues. “A similar database, containing the identity details of Israeli citizens, was leaked a few years ago from the Interior Ministry and can be downloaded today, for free.”

But Rafi Eitan, an Israeli politician and former Mossad officer, believes the agency’s intelligence talents will catch up. “By 2015 most countries will have moved over to biometric identification methods,” he told Ha’aretz. But “… this will not affect the various intelligence activities in the future, because I assess that the organizations engaging in this will find suitable ways to overcome the difficulties, should there be any.”

There may come a time, in other words, when you’ll need the trappings of a government to do something as tricky as counterfeit a passport.

CONCORD, N.H.—A bill introduced in the New Hampshire Legislature could have serious consequences for the development and deployment of biometric technology and could also jeopardize public confidence in the technology. HB 1409, sponsored by Rep. Neal Kurk, originated over concerns of privacy, but there is concern that the broadness of the bill could negatively impact the development of biometrics as an important security tool, said Don Erickson, director of government relations for Security Industry Association.

Specifically, this bill dictates, “no government agency or private entity shall issue an identification card, other than an employee identification card, or use an identification device or system, that requires the collection or retention of an individual’s biometric data.” The legislation also restricts the disclosure use of “biometric data as a condition of doing business with, engaging in any business activity or relationship with, or obtaining services from, that agency or entity.”

The legislation would ban all biometrics, including fingerprints, palm prints, facial features, voice data recognition, iris recognition, hand geometry and retinal scans, according to the bill.

If passed, this legislation would take effect on January 1, 2011.

SIA issued a statement saying that banning nearly all the uses of biometrics is an inappropriate response to privacy concerns. “The sponsor was concerned about privacy and the protection of individual privacy” not about issues of security, said Erickson. And, he contends, biometrics are actually more secure than other technologies. “With biometrics, you don’t have a password or a key to lose, it’s biometric information so you don’t have to worry about people stealing it,” he said.

Vijay Kumar, marketing manager for Ingersoll Rand Security Technologies, Schlage biometrics, agreed that biometrics pose minimal privacy concerns. “A lot of people don’t understand biometrics and these situations are based on misperceptions,” he said. “I think people confuse it with the systems they see on TV crime shows.” The major distinction, said Kumar, is differentiating between identification and authenticating systems. “Identification compares a person to all the people in the system and matches one to a number of samples,” he said. “Authentication is a one-to-one search, where a live biometric—a hand sample for example—is presented by a person and compared to a stored biometric given by the person by consent.”

He agrees with Erickson that biometrics are actually a very secure form of identification. “Biometrics of authentication is actually a more private situation than what we had when we used numeric codes and password and those types of identities are easy to capture,” he said.

However, industry members aren’t surprised this bill was introduced. Security concerns are not to be taken lightly. In this day and age, with increasing incidents of credit card and identity theft, people have a reason to be concerned about privacy, said Erickson. “The industry has taken steps to control personal identification information and it’s in their interest to,” he said. “End users need to be sensitive to this and spend time doing their homework on exactly how the technology works and privacy guards in place.”

And while this bill is troubling for those involved with biometrics, few think it will make much more progress in New Hampshire. Erickson said the bill was recently voted down 11-6 in committee and doubts it will be reintroduced.

In the last ten days we have learnt that “persons unknown” stole the identity of British citizens and cloned modern UK passports to enter Dubai to perform an assassination. Last week, the Foreign Secretary got up in the House of Commons to say that his legal action before the Court of Appeal was to protect intelligence vital to national security given to the UK by the USA’s national security agencies.

There are obvious data protection consequences that flow from these events that are not being picked up by journalists as part of the current public discourse.

In relation to biometric passports, the official Government information states that all passports now issued contain ‘biometric’ details “which are unique to you – like your fingerprint, the iris of your eye, and your facial features”. In addition, “the chip inside the passport contains information about the holder’s face – such as the distances between eyes, nose, mouth and ears” which “can then be used to identify the passport-holder”.

Also the chip is protected in four ways:

“a ‘digital signature’, which shows that the data is genuine and which country has issued the passport

Basic Access Control, a ‘chip protocol’ that prevents the data being read without the passport holder’s knowledge

Public Key Infrastructure (PKI), a digital technique that confirms the data on the chip was written by IPS and has not been changed, and

the chips can only be read at a few centimetres’ distance from a chip reader – so they cannot be accidentally read”.

So, by implication, either “persons unknown” using the UK Passports in Dubai managed to evade some of the above security checks (including any biometric security) or airport security arrangements at a major international airport have suffered a complete failure. Which one is most culpable? It is a very important question.

For instance, if some or all the biometric features that protect the Passport have been “overcome”, where does this leave the biometric security on the ID Card? If one agency can get round the security, isn’t it rather obvious that others can do so also? Does every significant ID Card check now need a reference to personal data stored on the National Identity Register (and recorded on that infamous audit trail) as the means of making sure an ID Card is not a clone? If so, then the ID Card costs have just increased significantly.

In relation to the intelligence issue, I accept that there are immense difficulties. However, if we start from the position that intelligence is information from which one can deduce or infer a possible action, then the position becomes clearer. For example, if “X has been in contact with Y” then it might be important to put “Y” on a watch list.

However, I do not think that “X has been water-boarded” qualifies as intelligence – it is a description of what has happened to X. It might be confidential to qualify the intelligence by explaining that “intelligence from X has been gained under torture”, but there again, it is the information that is provided that is the “intelligence” and not the means by which it was extracted from the informant.

In other words, the Foreign Secretary’s claim that “The seven paragraphs contain summaries of American intelligence relating to Mr Mohamed’s case held in UK files” cannot possibly be substantiated by the facts. One cannot possibly undermine the principle of protecting intelligence sharing if the information itself does not qualify as intelligence (in this case, it relates to inhuman or degrading treatment).

Reference: In my evidence to the Joint Committee on Human Rights published in 2006, I explore national security in the context of Parliamentary scrutiny, data protection, human rights and terrorism. I explain why the UK system of scrutiny desperately needs an overhaul (http://www.amberhawk.com/policydoc.asp)

The New Hampshire legislature is considering a bill which would ban biometric data, including fingerprints, retinal scans, DNA, palm prints, facial feature patterns, handwritten signature characteristics, voice data, iris recognition, keystroke dynamics, and hand characteristics from being used in state or privately issued ID cards, except for employee ID cards.

The move toward biometric IDs is accelerating, but New Hampshire wants to buck this trend. Acting out of concerns for residents’ privacy, the New Hampshire Legislature is considering a bill that would ban the use of biometrics data in identification cards. At least two trade groups oppose the legislation, saying biometrics technology has a number of security benefits.

The bill would prohibit biometrics data, including fingerprints, retinal scans, and DNA, from being used in state or privately issued ID cards, except for employee ID cards. In addition, it would ban the use of ID devices or systems that require the collection or retention of an individual’s biometric data.

SC Magazine’s Angela Moscaritolo writes that under the bill, biometric data would also include palm prints, facial feature patterns, handwritten signature characteristics, voice data, iris recognition, keystroke dynamics, and hand characteristics. “That’s the kind of information the government shouldn’t generally require to be gathered about an individual,” New Hampshire Representative Daniel Itse, who co-sponsored the bill, told SCMagazineUS.com on Wednesday.

The bill has drawn criticism from several organizations, including the Security Industry Association (SIA), a business trade group covering the electronic and physical security market. “SIA firmly believes that the broad restrictions proposed by [the bill]… reflects a significant misunderstanding of the security features and privacy safeguards of this widely-adopted technology,” the group said in a statement. SIA encouraged a New Hampshire House committee to reject the bill and conduct a study into the merits of biometrics technology.

Moscaritolo writes that this is the only pending bill of its kind in the nation, but in the past there have been similar legislative actions taken in opposition of biometrics technology, Don Erickson, director of government relations for SIA, told SCMagazineUS.com. “We are concerned about seeing a pattern of these bills start to pop up in states, which will result in a patchwork of different laws that organizations would have to comply with,” Erickson said.

A similar bill, introduced several years ago in Pennsylvania to limit the use of biometrics, was never acted on, Erickson said.

In contrast, numerous bills have passed at the state and federal levels to authorize and implement systems that use biometrics technology for personal identification, Walter Hamilton, chairman and president of the International Biometric Industry Association (IBIA), a nonprofit trade association representing developers, manufacturers, and integrators of biometrics, told Moscaritolo. “We think it’s inappropriate to single out a technology and say, ‘Thou shall not use,’” Hamilton said. “We think there are many examples of useful applications where it protects citizens.” The use of biometrics can thwart fraud and identity theft by ensuring a person is who they claim to be, he said.

Moscaritolo notes that the bill was introduced in January in the New Hampshire House Commerce and Consumer Affairs Committee. It was the subject of a public hearing Tuesday and is scheduled for discussion Thursday in an executive session of the committee.

Noted security researcher Ross Anderson and colleagues have published a paper showing how “Chip-and-PIN” (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer. I remember hearing rumbles that this attack was possible even as Chip-and-PIN was being rolled out across Europe, but that didn’t stop the banks from pushing ahead with it, spending a fortune in the process.

The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say “Verified by PIN”.

It’s no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) — in fact Steven blogged about it here last August.

But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you’re not even looking? The banks didn’t even realise they needed to check.
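The issuer-side cross-check that the last paragraph says nobody was running, as an added example (not code from the original post or from the researchers). It compares what the terminal reports about cardholder verification with what the card itself recorded. The record layout and the `card_saw_offline_pin_ok` flag are assumptions standing in for whatever the issuer decodes from card-authenticated data; the CVM Results byte meanings follow the EMV specification.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# CVM codes carried in the low 6 bits of byte 1 of the terminal's
# CVM Results field (EMV tag 9F34). Bit 0x40 only means "try the next
# rule if this one fails" and is masked off before comparison.
OFFLINE_PIN_CODES = {0x01, 0x03, 0x04, 0x05}  # PIN checked by the chip itself
CVM_SUCCESSFUL = 0x02                          # value of byte 3 on success


@dataclass
class AuthRecord:
    """One online authorisation request as seen by the issuer (assumed layout)."""
    txn_id: str
    # Terminal's 3-byte CVM Results, or None if the acquirer did not forward it.
    cvm_results: Optional[bytes]
    # Hypothetical flag: did the card, in data covered by its own cryptogram,
    # record a successful offline PIN check? None if the issuer cannot tell.
    card_saw_offline_pin_ok: Optional[bool]


def terminal_claims_offline_pin(cvm_results: bytes) -> bool:
    """True when the terminal says the chip verified a PIN successfully."""
    method = cvm_results[0] & 0x3F
    return method in OFFLINE_PIN_CODES and cvm_results[2] == CVM_SUCCESSFUL


def check_cvm_consistency(rec: AuthRecord) -> str:
    """Classify a record as 'ok', 'mismatch' or 'unverifiable'."""
    # Without the terminal's view there is nothing to compare: this is the
    # "not even looking" case, reported separately instead of passed silently.
    if rec.cvm_results is None or len(rec.cvm_results) != 3:
        return "unverifiable"
    # Signature, online PIN or no CVM: the card is not expected to have
    # seen a PIN, so the two views cannot disagree on this point.
    if not terminal_claims_offline_pin(rec.cvm_results):
        return "ok"
    if rec.card_saw_offline_pin_ok is None:
        return "unverifiable"
    # Terminal says "verified by PIN"; the card must agree.
    return "ok" if rec.card_saw_offline_pin_ok else "mismatch"


def triage(records: List[AuthRecord]) -> Dict[str, List[str]]:
    """Group transaction ids by verdict so mismatches can be declined."""
    out: Dict[str, List[str]] = {"ok": [], "mismatch": [], "unverifiable": []}
    for rec in records:
        out[check_cvm_consistency(rec)].append(rec.txn_id)
    return out


# Constructed sample records (not captured traffic).
SAMPLE_RECORDS = [
    AuthRecord("T1", bytes.fromhex("410302"), True),   # offline PIN, card agrees
    AuthRecord("T2", bytes.fromhex("010302"), False),  # terminal: PIN ok, card: no PIN seen
    AuthRecord("T3", bytes.fromhex("1E0300"), False),  # signature transaction
    AuthRecord("T4", None, False),                     # CVM Results never forwarded
    AuthRecord("T5", bytes.fromhex("020300"), False),  # online PIN, checked elsewhere
    AuthRecord("T6", bytes.fromhex("040302"), None),   # card-side data not decodable
]

if __name__ == "__main__":
    for verdict, ids in triage(SAMPLE_RECORDS).items():
        print(verdict, ids)
```

The "unverifiable" bucket matters as much as the mismatch: a receipt reading "Verified by PIN" carries no weight when the issuer never receives, or never parses, one of the two views.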

(CNN) — When Annie Brown’s daughter, Isabel, was a month old, her pediatrician asked Brown and her husband to sit down because he had some bad news to tell them: Isabel carried a gene that put her at risk for cystic fibrosis.

While grateful to have the information — Isabel received further testing and she doesn’t have the disease — the Mankato, Minnesota, couple wondered how the doctor knew about Isabel’s genes in the first place. After all, they’d never consented to genetic testing.

It’s simple, the pediatrician answered: Newborn babies in the United States are routinely screened for a panel of genetic diseases. Since the testing is mandated by the government, it’s often done without the parents’ consent, according to Brad Therrell, director of the National Newborn Screening & Genetics Resource Center.

In many states, such as Florida, where Isabel was born, babies’ DNA is stored indefinitely, according to the resource center.

Many parents don’t realize their baby’s DNA is being stored in a government lab, but sometimes when they find out, as the Browns did, they take action. Parents in Texas and Minnesota have filed lawsuits, and these parents’ concerns are sparking a new debate about whether it’s appropriate for a baby’s genetic blueprint to be in the government’s possession.

“We were appalled when we found out,” says Brown, who’s a registered nurse. “Why do they need to store my baby’s DNA indefinitely? Something on there could affect her ability to get a job later on, or get health insurance.”

According to the state of Minnesota’s Web site, samples are kept so that tests can be repeated, if necessary, and in case the DNA is ever needed to help parents identify a missing or deceased child. The samples are also used for medical research.

Art Caplan, a bioethicist at the University of Pennsylvania, says he understands why states don’t first ask permission to screen babies for genetic diseases. “It’s paternalistic, but the state has an overriding interest in protecting these babies,” he says.

However, he added that storage of DNA for long periods of time is a different matter.

“I don’t see any reason to do that kind of storage,” Caplan says. “If it’s anonymous, then I don’t care. I don’t have an issue with that. But if you keep names attached to those samples, that makes me nervous.”

DNA given to outside researchers

Genetic testing for newborns started in the 1960s with testing for diseases and conditions that, if undetected, could kill a child or cause severe problems, such as mental retardation. Since then, the screening has helped save countless newborns.

Over the years, many other tests were added to the list. Now, states mandate that newborns be tested for anywhere between 28 and 54 different conditions, and the DNA samples are stored in state labs for anywhere from three months to indefinitely, depending on the state. (To find out how long your baby’s DNA is stored, see this state-by-state list.)

Brad Therrell, who runs the federally funded genetic resource consortium, says parents don’t need to worry about the privacy of their babies’ DNA.

“The states have in place very rigid controls on those specimens,” Therrell says. “If my children’s DNA were in one of these state labs, I wouldn’t be worried a bit.”

The specimens don’t always stay in the state labs. They’re often given to outside researchers — sometimes with the baby’s name attached.

According to a study done by the state of Minnesota, more than 20 scientific papers have been published in the United States since 2000 using newborn blood samples.

The researchers do not have to have parental consent to obtain samples as long as the baby’s name is not attached, according to Amy Gaviglio, one of the authors of the Minnesota report. However, she says it’s her understanding that if a researcher wants a sample with a baby’s name attached, consent first must be obtained from the parents.

Scientists have heralded this enormous collection of DNA samples as a “gold mine” for doing research, according to Gaviglio.

“This sample population would be virtually impossible to get otherwise,” says Gaviglio, a genetic counselor for the Minnesota Department of Health. “Researchers go through a very stringent process to obtain the samples. States certainly don’t provide samples to just anyone.”

Brown says that even with these assurances, she still worries whether someone could gain access to her baby’s DNA sample with Isabel’s name attached.

“I know the government says my baby’s data will be kept private, but I’m not so sure. I feel like my trust has been taken,” she says.

Parents don’t give consent to screening

Brown says she first lost trust when she learned that Isabel had received genetic testing in the first place without consent from her or her husband.

“I don’t have a problem with the testing, but I wish they’d asked us first,” she says.

Since health insurance paid for Isabel’s genetic screening, her positive test for a cystic fibrosis gene is now on the record with her insurance company, and the Browns are concerned this could hurt her in the future.

“It’s really a black mark against her, and there’s nothing we can do to get it off there,” Brown says. “And let’s say in the future they can test for a gene for schizophrenia or manic-depression and your baby tests positive — that would be on there, too.”

Brown says if the hospital had first asked her permission to test Isabel, now 10 months old, she might have chosen to pay for it out of pocket so the results wouldn’t be known to the insurance company.

Caplan says taking DNA samples without asking permission and then storing them “veers from the norm.”

“In the military, for instance, they take and store DNA samples, but they tell you they’re doing it, and you can choose not to join if you don’t like it,” he says.

What can parents do

In some states, including Minnesota and Texas, the states are required to destroy a baby’s DNA sample if a parent requests it. Parents who want their baby’s DNA destroyed are asked to fill out this form in Minnesota and this form in Texas.

Parents in other states have less recourse, says Therrell, who runs the genetic testing group. “You’d probably have to write a letter to the state saying, ‘Please destroy my sample,’” he says.

He adds, however, that it’s not clear whether a state would necessarily obey your wishes. “I suspect it would be very difficult to get those states to destroy your baby’s sample,” he says.

(AP) – In its search for fugitives, the FBI has begun using facial-recognition technology on millions of motorists, comparing driver’s license photos with pictures of convicts in a high-tech analysis of chin widths and nose sizes.

The project in North Carolina has already helped nab at least one suspect. Agents are eager to look for more criminals and possibly to expand the effort countrywide. But privacy advocates worry that the method allows authorities to track people who have done nothing wrong.

“Everybody’s participating, essentially, in a virtual lineup by getting a driver’s license,” said Christopher Calabrese, an attorney who focuses on privacy issues at the American Civil Liberties Union.

Earlier this year, investigators learned that a double-homicide suspect named Rodolfo Corrales had moved to North Carolina. The FBI took a 1991 booking photo from California and compared it with 30 million photos stored by the motor vehicle agency in Raleigh.

In seconds, the search returned dozens of drivers who resembled Corrales, and an FBI analyst reviewed a gallery of images before zeroing in on a man who called himself Jose Solis.

A week later, after corroborating Corrales’ identity, agents arrested him in High Point, southwest of Greensboro, where they believe he had built a new life under the assumed name. Corrales is scheduled for a preliminary hearing in Los Angeles later this month.

“Running facial recognition is not very labor-intensive at all,” analyst Michael Garcia said. “If I can probe a hundred fugitives and get one or two, that’s a home run.”

Facial-recognition software is not entirely new, but the North Carolina project is the first major step for the FBI as it considers expanding use of the technology to find fugitives nationwide.

So-called biometric information that is unique to each person also includes fingerprints and DNA. More distant possibilities include iris patterns in the eye, voices, scent and even a person’s gait.

FBI officials have organized a panel of authorities to study how best to increase use of the software. It will take at least a year to establish standards for license photos, and there’s no timetable to roll out the program nationally.

Calabrese said Americans should be concerned about how their driver’s licenses are being used.

Licenses “started as a permission to drive,” he said. “Now you need them to open a bank account. You need them to be identified everywhere. And suddenly they’re becoming the de facto law enforcement database.”

State and federal laws allow driver’s license agencies to release records for law enforcement, and local agencies have access to North Carolina’s database, too. But the FBI is not authorized to collect and store the photos. That means the facial-recognition analysis must be done at the North Carolina Division of Motor Vehicles.

“Unless the person’s a criminal, we would not have a need to have that information in the system,” said Kim Del Greco, who oversees the FBI’s biometrics division. “I think that would be a privacy concern. We’re staying away from that.”

Dan Roberts, assistant director of the FBI’s Criminal Justice Information Services Division, added: “We’re not interested in housing a bunch of photos of people who have done absolutely nothing wrong.”

Gone are the days when states made drivers’ licenses by snapping Polaroid photos and laminating them onto cards without recording copies.

Now states have quality photo machines and rules that prohibit drivers from smiling during the snapshot to improve the accuracy of computer comparisons.

North Carolina’s lab scans an image and, within 10 seconds, compares the likeness with other photos based on an algorithm of factors such as the width of a chin or the structure of cheekbones. The search returns several hundred photos ranked by the similarities.

“We’ll get some close hits, and we’ll get some hits that are right on,” said Stephen Lamm, who oversees the DMV lab.

The technology allowed the DMV to quickly highlight 28 different photos of one man who was apparently using many identities. It also identified one person who, as part of a sex change, came in with plucked eyebrows, long flowing hair and a new name – but the same radiant smile.

The system is not always right. Investigators used one DMV photo of an Associated Press reporter to search for a second DMV photo, but the system first returned dozens of other people, including a North Carolina terrorism suspect who had some similar facial features.

The images from the reporter and terror suspect scored a likeness of 72 percent, below the mid-80s that officials consider a solid hit.

Facial-recognition experts believe the technology has improved drastically since 2002, when extremely high failure rates led authorities to scrap a program planned for the entrances to the Winter Olympics in Salt Lake City.

Lamm said investigators reviewing the galleries can almost always find the right photo, using a combination of the computer and the naked eye.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, questioned whether the facial-recognition systems that were pushed after the Sept. 11 attacks are accurate or even worthwhile.

“We don’t have good photos of terrorists,” Rotenberg said. “Most of the facial-recognition systems today are built on state DMV records because that’s where the good photos are. It’s not where the terrorists are.”

The concept of a National ID card has been around for quite some time, back to at least the creation of the Social Security Number (SSN), and while the SSN is a form of identification, it is not a National ID card in the sense that is being promoted in our time. The push for a National ID card in the modern era started back in the ’80s during the Reagan administration. Reagan, being the type of man he was, knew exactly what this would lead to and flat out rejected the concept. It was brought up in the Clinton administration as well, and while opposition to it was not as strong as Reagan’s, Clinton also did not sign off on a National ID card. Unfortunately, though the times have changed, I feel we can no longer trust our Federal government to operate in our best interest; it has severely broken with the Constitution and the ideals that founded this union. After 9/11 everyone was scared, angry, wanted protection from terrorism, and in that hysteria, most people did not care what it was or how it worked. As a result we got the PATRIOT Act written two years before 9/11 that gives the government the authority, among other things, to enter your house when you’re not there and to take anything. It’s called a “sneak and peek” (and they say trust us on healthcare). The Military Commission Act (MCA) was passed that has language so vague that it could catch average citizens in the category of a “threat” to the government and warrant the same treatment our government gives terrorists. During the process of making us safer a National ID card also became law in 2005 that was tacked onto a tsunami relief and military spending bill as a national security measure meant to guard against terrorism, illegal immigration and identity theft. Attached as it was to that type of bill, it was guaranteed to meet no opposition, and so it sailed right through Congress straight to the President where it became law.

I will now remind everyone at this juncture what a couple of founding fathers have to say about Liberty and Security:

“I would rather be exposed to the inconveniencies attending too much liberty than to those attending too small a degree of it.”

-Thomas Jefferson

“Those willing to sacrifice Liberty for Security will get neither and deserve neither”

-Benjamin Franklin

The issue of REAL ID and all it entails is too complex to give in this medium, but I will give a brief overview and then direct you to a few sites where you can get all the dirty details. REAL ID is not just a National ID card but much more as it is an INTERNATIONAL ID card. When REAL ID became law, DHS had a non-negotiated rule making process, and so they inserted international regulations. The International Civil Aviation Organization (ICAO), a UN agency, is the one charged with setting the ISOs for identification programs of the various participating countries, and there are a lot that are participating. The American Association of Motor Vehicle Administrators (AAMVA) will be the entity that will see to the implementation of REAL ID. AAMVA is American in name only. As they state on their website they are an international organization. Then there are the corporations, most prominently, a company called L1-Identity Solutions. This corporation has a monopoly on identification cards (i.e. drivers licenses) like Microsoft does on computer operating systems.

The required data on these cards will not just be our physical attributes for identification purposes but our religious, political, educational, medical, financial, sexual, firearms, and biometric data will be on this card. Considering the fact that all our information will be on this card and that the state DMV databases will have to be linked and consolidated, the information will be held primarily by one corporation, and our government will be sharing it with any “nation” of the world such as Canada, England, Mexico, Australia, Russia, China, or Iran to name very few. There is no possible way for our information to remain secure. The more information or data on us that is compiled and shared, the more likely it will be stolen (130 million credit card numbers stolen). Note that one of the pieces of data that will be collected is biometric. When most people think biometric, they think fingerprints, iris scans, DNA; however, the biometric of choice is facial recognition because it can be taken without your knowledge or consent. A mathematical algorithm will be used based on your facial features to assign you a specific number. Law enforcement personnel do not need numbers to identify you, but a camera and computer surely do, and we are well on our way to being a surveillance society more than you think we are.

Abstract

Biometric identification techniques such as retinal scanning and fingerprinting have now become commonplace, but near-future improvements on these methods present troubling issues for personal privacy. For example, retinal scanning can be used to diagnose certain medical conditions, even ones for which the patient has no symptoms or any other way of detecting the problem. If a health insurance company scans the retinas of potential clients before they purchase coverage, they could be charged higher premiums for conditions that do not present any issues. Not only is this unfair, but the ease with which these scans can be conducted—including scanning without the subject’s consent or knowledge—presents disturbing privacy concerns and suggests an Orwellian future, one controlled by Big Business rather than Big Brother.

INTRODUCTION

Imagine it is the year 2030. As you walk down your street to visit your favorite coffee shop, a camera mounted at the nearest intersection tracks your movements. Initially, you are just a set of pixels transmitted to a video screen somewhere; however, after your movement has been picked up by the camera, it uses algorithms based on general body and skull structure to pinpoint the location of your eyes. Once the camera has found your eyes, it projects an infrared beam of light into them, which would not be noticed because infrared light is not visible to the human eye. Using the reflection of the light from your retinas and choroids, the camera photographs the vasculature structure of your eyes and runs it against a database of known criminals, immigrants, and even people dissenting from popular opinion. If your retinal pattern matches that of a person listed in the database, the computer transmits this information to the proper authorities. All of this happens before you even step through the door of the coffee shop. This Orwellian future of an omnipotent Big Brother is not consistent with a free democracy subservient to the people.

However, this is not the only worrisome issue presented by this scenario—what if private companies, instead of the government, are the ones running those cameras? What if a health insurance company installs these cameras outside its offices to identify individuals and detect disorders and illnesses before they walk through the door? Retinal vascular patterns have been shown to anticipate future illnesses as well as conclusively identify several illnesses that the individual suffers from, and many of these are hereditary or genetic conditions. If the insurance company knows what you are susceptible to before you are personally aware of it or have been notified, and uses this to refuse coverage or charge a higher premium for the policy you apply for, they have appropriated something extremely private of yours without consent and may use this knowledge to profit from your supposed “condition,” regardless of whether those future or current illnesses have manifested or will manifest themselves. Why should such an intrusive procedure be allowed without any concern for the privacy rights of those being examined?

DAVOS, Switzerland - The biggest travel threat facing the world now is passport fraud, according to the chief of Interpol – the millions of stolen documents that could be used by terrorists or criminals to travel worldwide.

Airport body scanners, embraced by many in the aftermath of the attempted Christmas Day airplane bombing, are a misguided solution to travel threats, Interpol Secretary-General Ronald K. Noble told The Associated Press in an interview Thursday night.

“The greatest threat in the world is that last year there were 500 million, half a billion, international air arrivals worldwide where travel documents were not compared against Interpol databases,” he said on the sidelines of the World Economic Forum, where 2,500 business and political leaders are gathered in this Alpine resort.

“Right now in our database we have over 11 million stolen or lost passports,” he said. “These passports are being used, fraudulently altered and are being given to terrorists, war criminals, drug traffickers, human traffickers.”

The solution, he said, is better intelligence, and better intelligence sharing, among countries.

“You don’t know the motivation behind the person carrying the passport,” he said. If you’re a terrorist, he said, “Are you going to carry explosives that are going to be detected? No.”

Many U.S. airports use the body-scanning machines and airports in other countries are adopting them after Nigerian Umar Farouk Abdulmutallab allegedly tried to detonate explosives hidden in his underwear Dec. 25 on the Detroit-bound flight.

But Noble questioned “the amount of money and resources that go into these (body-scanning) machines.”

He cited a case two weeks ago in a Caribbean country where five people were arrested carrying European passports, but were caught after they were found to be carrying stolen passports – one stolen back in 2001. The five had “definite links to crime, organized crime, human trafficking but no definite links to terrorism,” he said, though he wouldn’t name the country.

He said U.S. authorities are recognizing the threat of passport fraud – in 2006, U.S. authorities scanned the Interpol database about 2,000 times, while last year they did so 78 million times. They came up with 4,000 people traveling on stolen or lost passports.

Intelligence experts have cast doubt on the usefulness of the so-called no-fly lists of suspects shared among airports worldwide, saying that criminals can change their names or make simple name spelling changes that render them untrackable.

“(The lists) are useful but I don’t believe they are the be-all and end-all,” Noble said, adding he was concerned about governments’ efforts to expand them.

Noble, who has expanded Interpol’s efforts to fight terrorism, cybercrime, corruption and maritime piracy in his nearly 10 years at the helm of international police agency Interpol, also had words of warning for people hoping to donate money to Haiti after its devastating earthquake.

“Be very careful,” he said, citing several cases of fraudsters preying on donors and stealing their money via fake charity Web sites.

“Whenever there’s a tragedy it seems to bring out the best in people and unfortunately the worst,” he said. He said several U.S. sites have been taken down since the earthquake after they were found to represent no known charity.

Interpol has a team helping identify victims in Haiti, a daunting task with an estimated 200,000 dead. Another daunting task will be rebuilding Haiti’s law enforcement.

So you’re at the airport, you’ve gone through the inevitable check-in and security line, when you walk through a machine you think is a metal detector, just like you probably have a number of times before. However, if you’re at one of nineteen airports across the country testing new “whole body imaging” scanners, you might be interested in knowing just what the security official on the other side of the screen is seeing if you go through one of the machines, according to CNN.

Indeed, if you believe privacy advocates, what they are seeing on their screen might be something just shy of a peep show. Right now just six airports (San Francisco, Miami, Albuquerque (New Mexico), Tulsa, Salt Lake City, and Las Vegas) are using the new whole body imaging scanners as a primary security check option, while the remainder use them as a secondary check after people fail a metal detector. In the past, the secondary option would have been a pat down.

So what are the laws, if any, on privacy at the airport and just how far can the TSA go in its security checks? Well, pretty far would be the answer, as far as past court rulings go. Airport privacy concerns are nothing new. Previously, pat downs alone generated significant cause for concern, with plenty of complaints about how offensive and invasive it is to get groped, fondled, and/or prodded as part of taking a trip. The TSA has developed policies and regulations regarding its pat-down measures, but privacy advocates point out no such policies exist yet for the whole body imaging technology.

From a constitutional standpoint, a pat down is less intrusive than a full-on strip search, obviously, but the question is really whether these machines’ images would fall neatly into one category. Of course, there’s no agreement amongst advocates either, with some calling the resulting images “fuzzy negatives”, while others are going so far as to call them “TSA porn”.

Although the Fourth Amendment protects individuals from unreasonable searches and seizures, searches at airports have been held to a lower standard due to security concerns, particularly after 9/11. The Supreme Court hasn’t specifically dealt with airport security measures, but previously noted that where “the risk to public safety is substantial and real, blanket suspicionless searches calibrated to the risk may rank as ‘reasonable’–for example, searches now routine at airports and at entrances to courts and other official buildings.”

That ruling, more than a decade ago, certainly didn’t deal with whole-body imaging, but courts take into account that changes in technology may affect whether searches are reasonable. Also potentially putting a crimp in the TSA’s plans is legislation introduced last month that would flat-out ban the machines at airports. At any rate, if legislation doesn’t resolve the issue, and the TSA does not come up with policies and regulations that nip the issue in the bud, courts may end up weighing just how intrusive these images are versus their necessity for security purposes.

A new report presented at the Federal Trade Commission’s Privacy Roundtable in Berkeley, Calif., warns of threats to consumer privacy posed by new tracking technology incorporated into some digital signage.

Produced by an organization called the World Privacy Forum, the report also presents a recommended code of conduct crafted by an out-of-home advertising industry organization, the Point of Purchase Advertising Institute (POPAI), to avoid transgressions that could inspire consumer backlash.

The new report, titled “The One-Way-Mirror-Society: Privacy Implications of Digital Signage,” mentions a number of “mid-range” tracking technologies. It includes technology that allows digital signage to track heat paths (showing a consumer’s movement, for example, around a retail environment) and separate technology that tracks the consumer’s gaze, to determine what part of the sign is most interesting.

But the most controversial technology currently being used allows digital signage to scan the facial features and other physical characteristics of passers-by to determine their age, gender and ethnicity.

The WPF also produced a list of preliminary but fairly stringent recommendations from POPAI. Some of the notable suggestions include “no one-sided industry self regulation,” implying the government may need to formulate standards and regulate the industry.

The WPF points out that this recommendation isn’t actually that far-reaching, since there are already a number of state and federal laws governing marketing in public places and the kind of consumer information that can be gathered with or without consumers’ consent. In other words, there is a substantial body of legal standards already in place, such as laws prohibiting marketers from offering a special promotion only to one kind or class of consumer (e.g., a special discount available only to women).

The organization’s recommendations also include prominent disclosure by signage that tracking technology is being used; no storage of biometric or other personally identifying data without a consumer “opt-in”; and no re-purposing of footage from security cameras or tracking technologies originally employed for another purpose (like fire safety compliance).

‘Positively chilling’ says Liberty

Radical Think Tank Open Europe has this week exposed a study by the EU that could lead to the creation of a massive cross-Europe database, amassing vast amounts of personal data on every single citizen in the EU.

The scope of this project also reveals a growing governmental preference for systems capable of locking people up not for what they have done, but for what they might do.

Open Europe (OE) researcher, Stephen Booth, has been reviewing projects currently in receipt of EU funding. Last week he identified one of these - Project INDECT – as having potentially far-reaching effects for anyone living or working in Europe. The main objectives of this project, according to its own website, are:

To develop a platform for: the registration and exchange of operational data, acquisition of multimedia content, intelligent processing of all information and automatic detection of threats and recognition of abnormal behaviour or violence, to develop the prototype of an integrated, network-centric system supporting the operational activities of police officers.

In addition, it aims “to develop a set of techniques supporting surveillance of internet resources, analysis of the acquired information, and detection of criminal activities and threats.”

There are two controversial aspects to this research. First is the extent of data collection implied by the project scope. Second, and perhaps far more worrying, is the proposition that law enforcement agencies, in possession of sufficient data, will in future be able to model potentially criminal and anti-social behaviour and therefore focus on individuals before crimes are committed.

In this, it echoes another EU-sponsored piece of research – ADABTS – which is all about Automatic Detection of Abnormal Behaviour and Threats in crowded Spaces. According to the ADABTS prospectus, it “aims to develop models for abnormal and threat behaviours and algorithms for automatic detection of such behaviours as well as deviations from normal behaviour in surveillance data.”

The INDECT project is co-ordinated by Polish academic Professor Andrzej Dziech. Participants include several institutions from Poland – which until recently had its own issues with over-arching state surveillance – as well as the Northern Ireland Police Service.

Shami Chakrabarti, the director of human rights group Liberty, described this approach as a “sinister step” for any country, but “positively chilling” on a European scale.

Stephen Booth added: “The problem with the EU funding these types of projects is the lack of accountability. Citizens are left completely in the dark as to who has approved them and there is no way to ensure that civil liberties are being duly respected.

“The absence of any political debate about the use of these new surveillance technologies in our society is a very dangerous trend, which is especially acute at the EU level.”

However, the idea of punishing potential criminals is not just an EU notion. As El Reg reported last year, the Home Office has certainly considered the use of automated profiling to check travellers at points of entry to the UK. This has been controversial, both because of the veiled racism implied by such a policy, as well as evidence provided to the Home Office that it might not actually work.

However, the Vetting Database – which is due to go live later this year – will take decisions on whether people are fit to work in millions of “regulated” positions on the basis of a scoring system, designed to “predict” likelihood to offend.

The introduction of predictive models into society appears to be carrying on apace, with very little public debate as to how desirable they are, or how the state should compensate citizens where mistakes occur. There is also a blurring of the lines between predicting a threat – in which case law enforcement officers can be asked to investigate – and simply predicting criminality and penalising an individual on the basis of something they have not yet done.

OE is interested in seeing less formal integration across Europe, and a return to more issues being resolved at the national level. Their investigation looked at funding provided under the Seventh Framework Programme (FP7). This can be accessed via the Cordis portal, and is a mechanism whereby funds controlled by the EU Commission are made available for research projects.

The existence of an FP7 project is not necessarily an indicator of EU policy in an area, but it is clear evidence of some interest in the approach being investigated.

Project INDECT launched on 1 January this year with a project budget of 14.86 million Euros. It is due to deliver the goods, including a 15-node pilot project, by the end of 2013.

This threat brought to you by RFID

Computer scientists in Britain have uncovered weaknesses in electronic passports issued by the US, UK, and some 50 other countries that allow attackers to trace the movements of individuals as they enter or exit buildings.

The so-called traceability attack is not the only exploit of an e-passport that allows attackers to remotely track a given credential in real time without first knowing the cryptographic keys that protect it, the scientists from University of Birmingham said. What’s more, RFID, or radio-frequency identification, data in the passports can’t be turned off, making the threat persistent unless the holder shields the government-mandated identity document in a special pouch.

“A traceability attack does not lead to the compromise of all data on the tag, but it does pose a very real threat to the privacy of anyone that carries such a device,” the authors, Tom Chothia and Vitaliy Smirnov, wrote. “Assuming that the target carried their passport on them, an attacker could place a device in a doorway that would detect when the target entered or left a building.”

To exploit the weakness, attackers would need to observe the targeted passport as it interacted with an authorized RFID reader at a border crossing or other official location. They could then build a special device that detects the credential each time it comes into range. The scientists estimated the device could have a reach of about 20 inches.

“This would make it easy to eavesdrop on the required message from someone as they used their passport at, for instance, a customs post,” the authors wrote.

The attack works by recording the unique message sent between a particular passport and an official RFID reader and later replaying it within range of the special device. By measuring the time it takes the device to respond, attackers can determine whether the targeted passport is within range. In the case of e-passports from France, the process is even easier: electronic credentials from that country will return the error message “6A80: Incorrect parameters” if the targeted person is in range and “6300: no information given” if the person is not.

The research is only the latest to identify the risks of embedding RFID tags into passports and other identification documents. Last year, information-security expert Chris Paget demonstrated a low-cost mobile platform that surreptitiously sniffs the unique digital identifiers in US passport cards and next-generation drivers licenses. Among other things, civil liberties advocates have warned that those identifiers could be recorded at political demonstrations or other gatherings so police or private citizens could later determine whether a given individual attended.

To be sure, the practicality of traceability attacks is more limited because a targeted passport first must be observed within range of a legitimate reader. But once this hurdle is cleared – as would be relatively easy for unscrupulous government bureaucrats to do – the attack becomes a viable way to track a target.

Chothia and Smirnov of the University of Birmingham’s School of Computer Science said the security hole can be closed by standardizing error messages and “padding” response times in future e-passports. But that will do nothing to protect holders of more than 30 million passports from more than 50 countries who are vulnerable now, they said.
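A toy model of the fix described above, added here as an illustration; it is not code from the researchers or from any passport implementation. It assumes the chip checks a MAC first and its own fresh nonce second (HMAC-SHA256 stands in for the passport's MAC), and it uses a step counter as a stand-in for response time; only the two failure codes come from the article.

```python
import hashlib
import hmac
import os

SW_OK = "9000"            # ISO 7816 success status (not quoted in the article)
SW_MAC_FAIL = "6300"      # "no information given" (article, French passports)
SW_NONCE_FAIL = "6A80"    # "Incorrect parameters" (article, French passports)
SW_UNIFORM_FAIL = "6300"  # hardened tag: one code for every failure (arbitrary choice)

MAC_LEN = 32
NONCE_LEN = 8


class ToyTag:
    """Simplified chip: verifies a MAC, then checks its own fresh nonce."""

    def __init__(self, key: bytes, hardened: bool):
        self.key = key
        self.hardened = hardened
        self.nonce = None

    def challenge(self) -> bytes:
        self.nonce = os.urandom(NONCE_LEN)
        return self.nonce

    def authenticate(self, message: bytes):
        """Return (status_word, steps); steps models how long the reply takes."""
        if self.nonce is None:
            raise RuntimeError("challenge() must be called first")
        nonce, self.nonce = self.nonce, None  # every challenge is single-use
        body, mac = message[:-MAC_LEN], message[-MAC_LEN:]

        steps = 1
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        mac_ok = hmac.compare_digest(expected, mac)

        if not self.hardened:
            # Early exit plus distinct codes: the reply reveals which check failed.
            if not mac_ok:
                return SW_MAC_FAIL, steps
            steps += 1
            if not hmac.compare_digest(body[:NONCE_LEN], nonce):
                return SW_NONCE_FAIL, steps
            return SW_OK, steps

        # Hardened: always run both checks, then answer with a single code.
        steps += 1
        nonce_ok = hmac.compare_digest(body[:NONCE_LEN], nonce)
        if mac_ok and nonce_ok:
            return SW_OK, steps
        return SW_UNIFORM_FAIL, steps


def reader_message(key: bytes, tag_nonce: bytes) -> bytes:
    """Message a legitimate reader sends: tag nonce, reader nonce, MAC."""
    body = tag_nonce + os.urandom(NONCE_LEN)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def responses_to_replay(hardened: bool) -> dict:
    """Compare how two tags answer the same stale message (constructed data)."""
    key_a, key_b = os.urandom(32), os.urandom(32)
    tag_a, tag_b = ToyTag(key_a, hardened), ToyTag(key_b, hardened)

    recorded = reader_message(key_a, tag_a.challenge())
    legit = tag_a.authenticate(recorded)

    tag_a.challenge()
    tag_b.challenge()
    return {
        "legit": legit,
        "same_tag": tag_a.authenticate(recorded),   # MAC valid, nonce stale
        "other_tag": tag_b.authenticate(recorded),  # MAC invalid
    }


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "original", responses_to_replay(hardened))
```

With the uniform code and the always-run second check, the two failure cases become indistinguishable to an observer, which is the property to test for when evaluating a chip.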

And that’s sure to fuel criticism of RFID-enabled identification.

“This is a great example of why e-passports are a bad idea,” Paget wrote in an email to The Register. “It’s simply too expensive to replace vulnerable documents (especially when they have a 10-year lifespan) in response to legitimate security concerns, regardless of their severity. People will continue to poke holes in e-passports; without a mechanism to fix those problems there’s a strong argument that we’re better off without the RFID.”

In a leaked memo, an official says the machines have been recalibrated to an “unacceptable” level meaning travellers whose faces are shown to have only a 30% (Thirty per cent) likeness to their passport photographs can pass through.

The machines, undergoing trials at Manchester airport, have apparently been questioning so many passengers’ identities that they were creating huge queues.

The technology was designed to help immigration officials spot people traveling under false passports, particularly terrorists, but the multi-million pound scheme now appears to be in jeopardy.

In the email, the official says: “Update on the calibration – the facial recognition booths are letting passengers through at 30%.

“Changes appear to have been made without any explanation [or] giving anyone a reason for the machines [creating] what is in effect a 70% error rate.

“[The fact that] the machines do not operate at 100% is unacceptable. In addition it would be interesting to know why the acceptance level has been allowed to decrease.”

Rob Jenkins, an expert in facial recognition at Glasgow University’s psychology department, said lowering the match level to 30 per cent would make the system almost worthless.

Using facial recognition software from Sydney airport in Australia set at 30 per cent, he found the machines could not tell the difference between Osama bin Laden and the actors Kevin Spacey or even the actress Winona Ryder while Gordon Brown was indistinguishable from Mel Gibson.

Announcing a trial of five of the devices at Manchester airport last August, Jacqui Smith, the Home Secretary, said they would improve security by making it more difficult for terrorists using false passports.

At the moment the technology is only being used on British and European travelers on “high risk” flights but it is planned to extend the technology to almost all non-European Union citizens by the end of 2010.

Patrick Mercer, chairman of the House of Commons subcommittee on counter-terrorism, said he would be asking the UK Borders agency about the warnings.

The Home Office said: “We can categorically confirm that the gates are making the same high level of checks on the British and European passengers using them as they were when the trials began in August last year.

“Previous tests show that the system can reliably pick out imposters and even distinguish between identical twins. An immigration officer supervises the whole process and will intervene where necessary.”


A debate has been sparked in Switzerland over installing body scanners in airports after a terrorist attempt prompted the Netherlands to roll out the machines.

The Swiss aviation authority says the scanners would be a useful security tool, but the defence minister has ruled them out.

Dutch authorities say 15 of the machines will be in use at Amsterdam’s Schiphol airport within three weeks for passengers travelling to the United States. Nigeria and Britain also plan to introduce the scanners soon.

It follows an attempt to blow up an aircraft over Detroit on Christmas Day. Nigerian terrorist Umar Farouk Abdulmutallab had boarded the Northwest Airlines plane in Amsterdam wearing the explosives under his clothes, but the device burst into flames instead of detonating.

A key European lawmaker has called for greater use of the scanners, which capture detailed images of people’s body contours and are designed to spot explosives and other non-metallic objects that a metal detector would miss.

Peter van Dalen, vice chairman of the European Parliament’s transport committee, said newer technology showed the scanners did not violate travellers’ privacy and urged the installation of the equipment across the 27-nation bloc.

In 2008 the European Parliament voted against using such machines and called for further study, allowing Schiphol to conduct a pilot test of the scanners.

In Switzerland, although airport security measures were tightened over the holiday period, opinion was divided over the merits of bringing in such scanners.

“Effective tool”

The Swiss Federal Office of Civil Aviation (FOCA) said there were no plans underway to introduce the scanners in Geneva, Zurich or Basel airports, but if the machines were approved on a European level Swiss airports should follow suit.

Spokesman Daniel Göring told Swiss radio that the scanners could be “useful and effective” as a complementary tool for existing security controls, and he backed their introduction across Europe.

However, Defence Minister Ueli Maurer was quick to dismiss the machines. “It would be unacceptable for people to be viewed completely naked,” he told television station TeleZüri.

Less drastic measures would be just as effective, he argued, such as improving counter-terrorism alert systems, strengthening collaboration between secret services and the international exchange of information.

For its part Geneva airport said it was already responding to recommended security measures and it did not foresee installing the scanners as there were no convincing arguments for them in the locations where they had already been in use.

“But if FOCA or American companies require it, we will adapt,” a spokesman said.

More privacy

Body scanners that see through clothing have been available for several years, but their introduction has been slowed in some countries by privacy concerns. The American Civil Liberties Union for example has denounced the machines as a “virtual strip search” because they display the body’s contours on a computer screen with great clarity.

New software however can protect travellers’ privacy by producing a stylised image of the body instead of a more detailed picture.

Some manufacturers already offer privacy enhancements such as blurred faces or bodily images that look like chalk outlines.

On Sunday Britain’s main airport operator BAA said it had ordered full-body scanners and would introduce them as soon as possible. BAA operates Europe’s busiest airport, Heathrow, as well as other British airports.

Travel inconveniences

Kurt Spillman, a professor in conflict research and security at the Federal Institute of Technology in Zurich, still expects body scanners to be in use in Switzerland within two to five years.

“Switzerland will take on the standards of the EU. I think body scanning, as an additional security measure for preventing terrorist attacks, will be used for flights to the US,” he told the Neue Luzerner newspaper.

He thought the extra security step would eventually become accepted by passengers, as have other measures in place since the 9/11 attacks.

“Despite all the inconveniences such as removing shoes [at the security checks] or the ban on carrying liquids in hand luggage, people continue to travel unabated around the world,” he said.

“Body scanning slows down the check-in procedure, it’s unpleasant, but there’s no stopping it. Anyone who does not want to undergo this can stay at home.”

While North America’s airports groan under the weight of another sea-change in security protocols, one word keeps popping out of the mouths of experts: Israelification.

That is, how can we make our airports more like Israel’s, which deal with a far greater terror threat with far less inconvenience?

“It is mindboggling for us Israelis to look at what happens in North America, because we went through this 50 years ago,” said Rafi Sela, the president of AR Challenges, a global transportation security consultancy. He’s worked with the RCMP, the U.S. Navy Seals and airports around the world.

“Israelis, unlike Canadians and Americans, don’t take s— from anybody. When the security agency in Israel (the ISA) started to tighten security and we had to wait in line for — not for hours — but 30 or 40 minutes, all hell broke loose here. We said, ‘We’re not going to do this. You’re going to find a way that will take care of security without touching the efficiency of the airport.’”

That, in a nutshell, is “Israelification” – a system that protects life and limb without annoying you to death.

Despite facing dozens of potential threats each day, the security set-up at Israel’s largest hub, Tel Aviv’s Ben Gurion Airport, has not been breached since 2002, when a passenger mistakenly carried a handgun onto a flight. How do they manage that?

“The first thing you do is to look at who is coming into your airport,” said Sela.

The first layer of actual security that greets travellers at Tel Aviv’s Ben Gurion International Airport is a roadside check. All drivers are stopped and asked two questions: How are you? Where are you coming from?

“Two benign questions. The questions aren’t important. The way people act when they answer them is,” Sela said.

Officers are looking for nervousness or other signs of “distress” — behavioural profiling. Sela rejects the argument that profiling is discriminatory.

“The word ‘profiling’ is a political invention by people who don’t want to do security,” he said. “To us, it doesn’t matter if he’s black, white, young or old. It’s just his behaviour. So what kind of privacy am I really stepping on when I’m doing this?”

Once you’ve parked your car or gotten off your bus, you pass through the second and third security perimeters.

Armed guards outside the terminal are trained to observe passengers as they move toward the doors, again looking for odd behaviour. At Ben Gurion’s half-dozen entrances, another layer of security is watching. At this point, some travellers will be randomly taken aside, and their person and their luggage run through a magnetometer.

“This is to see that you don’t have heavy metals on you or something that looks suspicious,” said Sela.

You are now in the terminal. As you approach your airline check-in desk, a trained interviewer takes your passport and ticket. They ask a series of questions: Who packed your luggage? Has it left your side?

“The whole time, they are looking into your eyes — which is very embarrassing. But this is one of the ways they figure out if you are suspicious or not. It takes 20, 25 seconds,” said Sela.

Lines are staggered. People are not allowed to bunch up into inviting targets for a bomber who has gotten this far.

At the check-in desk, your luggage is scanned immediately in a purpose-built area. Sela plays devil’s advocate — what if you have escaped the attention of the first four layers of security, and now try to pass a bag with a bomb in it?

“I once put this question to Jacques Duchesneau (the former head of the Canadian Air Transport Security Authority): say there is a bag with play-doh in it and two pens stuck in the play-doh. That is ‘Bombs 101’ to a screener. I asked Duchesneau, ‘What would you do?’ And he said, ‘Evacuate the terminal.’ And I said, ‘Oh. My. God.’

“Take Pearson. Do you know how many people are in the terminal at all times? Many thousands. Let’s say I’m (doing an evacuation) without panic — which will never happen. But let’s say this is the case. How long will it take? Nobody thought about it. I said, ‘Two days.’”

A screener at Ben-Gurion has a pair of better options.

First, the screening area is surrounded by contoured, blast-proof glass that can contain the detonation of up to 100 kilos of plastic explosive. Only the few dozen people within the screening area need be removed, and only to a point a few metres away.

Second, all the screening areas contain ‘bomb boxes’. If a screener spots a suspect bag, he/she is trained to pick it up and place it in the box, which is blast proof. A bomb squad arrives shortly and wheels the box away for further investigation.

“This is a very small simple example of how we can simply stop a problem that would cripple one of your airports,” Sela said.

Five security layers down: you now finally arrive at the only one which Ben-Gurion Airport shares with Pearson — the body and hand-luggage check.

“But here it is done completely, absolutely 180 degrees differently than it is done in North America,” Sela said.

“First, it’s fast — there’s almost no line. That’s because they’re not looking for liquids, they’re not looking at your shoes. They’re not looking for everything they look for in North America. They just look at you,” said Sela.

“Even today with the heightened security in North America, they will check your items to death. But they will never look at you, at how you behave. They will never look into your eyes … and that’s how you figure out the bad guys from the good guys.”

That’s the process — six layers, four hard, two soft. The goal at Ben-Gurion is to move fliers from the parking lot to the airport lounge in a maximum of 25 minutes.

This doesn’t begin to cover the off-site security net that failed so spectacularly in targeting would-be Flight 253 bomber Umar Farouk Abdulmutallab — intelligence. In Israel, Sela said, a coordinated intelligence gathering operation produces a constantly evolving series of threat analyses and vulnerability studies.

“There is absolutely no intelligence and threat analysis done in Canada or the United States,” Sela said. “Absolutely none.”

But even without the intelligence, Sela maintains, Abdulmutallab would not have gotten past Ben Gurion Airport’s behavioural profilers.

So. Eight years after 9/11, why are we still so reactive, so un-Israelified?

Working hard to dampen his outrage, Sela first blames our leaders, and then ourselves.

“We have a saying in Hebrew that it’s much easier to look for a lost key under the light, than to look for the key where you actually lost it, because it’s dark over there. That’s exactly how (North American airport security officials) act,” Sela said. “You can easily do what we do. You don’t have to replace anything. You have to add just a little bit — technology, training. But you have to completely change the way you go about doing airport security. And that is something that the bureaucrats have a problem with. They are very well enclosed in their own concept.”

And rather than fear, he suggests that outrage would be a far more powerful spur to provoking that change.

“Do you know why Israelis are so calm? We have brutal terror attacks on our civilians and still, life in Israel is pretty good. The reason is that people trust their defence forces, their police, their response teams and the security agencies. They know they’re doing a good job. You can’t say the same thing about Americans and Canadians. They don’t trust anybody,” Sela said. “But they say, … ‘So far, so good…’ Then if something happens, all hell breaks loose and you’ve spent eight hours in an airport. Which is ridiculous. Not justifiable.

“But, what can you do? Americans and Canadians are nice people and they will do anything because they were told to do so and because they don’t know any different.”

“It’s no more invasive than someone touching every part of your body” during existing patdown security procedures, added Marni Blitz of Robbinsville, N.J.

Opponents argue the machines violate personal privacy because they show images of the naked body. Advocates counter that they’re vital to safety – and would have detected the explosives sewn into the underwear of a Nigerian man who tried to blow up a flight over Detroit on Christmas Day.

The body imaging machines cost about $150,000. They emit some radiation, but experts say it’s far less than what passengers are exposed to on a normal flight.

Former Homeland Security chief Michael Chertoff told the Daily News that naysayers have delayed installation of the scanners.

He said the botched attack on Flight 253 shows that they are a needed weapon in the anti-terror arsenal.

“Privacy advocates and the ACLU have slowed or stopped the deployment of the machines with a barrage of objections,” Chertoff said in an e-mail. “The bad guys have figured out this vulnerability. Isn’t it time we deployed these machines?”

The Knesset has passed Israel’s Biometric Database Law, expected to provide the statutory basis for introduction of ‘smart’ identification documents for all Israelis.

Interior Ministry officials will be authorized to collect the Biometric data – fingerprints and facial contours – of all residents for the purpose of issuing identity cards, passports or other official documents.

As with similar identity regimes in Australia and elsewhere (eg the latest generation of Australian passports), those documents will feature a microprocessor (ie a chip similar to those used in some credit cards and perimeter access cards) that will contain data based on the individual’s fingerprints (two fingers) and facial geometry, eg a unique hash generated from an image of the person’s face rather than the image itself. Biometric and other information on the databases will be matched with registration information on national databases. That would permit an official to determine, for example, that the photo on an identity document corresponds to the bearer’s face but that the individual is using another name and therefore is engaging in an identity offence.

As yet I haven’t sighted the legislation. From media reports it appears that the government has mollified some critics through a statutory commitment to establish two discrete databases: one including the card-bearer’s name and the other featuring data from the individual’s fingerprints and the face. The databases will be established and maintained in two separate ministries and “will be linked by a code”. There seem to be no official statements about sharing data with the private sector.

The ‘splitting’ of initial plans for a central database was an addition to the draft legislation in November, promoted as a safety measure -

so that anyone managing to penetrate one data bank would have only part of the information and it would be meaningless without the information from the other data bank.

The Chair of the Knesset Science & Technology Committee claimed -

The protection provided for this data bank is among the best in the world. It is protected at a level of 11 on a scale of one to 10

… which sounds impressive but is arguably meaningless. (What’s an ‘11’ when the scale ends at ‘10’? The Bill’s sponsor subsequently explained that “if the databases of the Mossad, the Shin Bet and the Prime Minister’s Office are currently protected at a level of 10, then this one will be protected at a level of 11”.)

Debate about development of the new regime featured the usual claims. A government spokesperson claimed that “there are 350,000 people living in Israel with fraudulent documents including tens of thousands with forged passports” and that forgery of the ‘smart’ documents will be impossible.

One former police executive offered an exceptionalist argument, commenting that -

in a normal state that does not face the enemies we face, there is no need for such a system. But here we are in an intolerable situation, facing internal and external enemies. The ease with which current Israeli documents can be forged is an enormous problem.

[Identity documents] are so easily faked. For us, this is an existential issue. There are thousands of people walking around with fake IDs or with no IDs whatsoever. Some are criminals, and others are hostile elements. You would not believe how many suspects we have found who changed their identities to hide previous convictions. Many identities have also been stolen.

He noted that the danger of official misuse of information is present with existing databases.

Critics expressed concern that information will be leaked or misused, eg “Criminals could steal fingerprint information and use it to incriminate innocent people”. Likud Minister Michael Eitan indicated that -

Not only will the system threaten the privacy of all Israelis, but even worse, it will create an atmosphere in which everyone will feel their privacy is being invaded….

Eitan was not however planning to vote against the law. (???!!!)

Implementation of the law involves a two-year trial period, during which participation in the biometric database/s will be voluntary. Three months prior to the end of the trial, the government will formally re-assess the regime’s effectiveness, with the Prime Minister and Interior Minister reporting to a special ministerial committee and to a Knesset committee. If the trial is deemed successful, Interior Ministry officials will be mandated to collect the biometric information without consent. The legislation allows some wriggle room: the Interior Minister will be empowered to extend the trial by an additional two years after provision of the reports, with a requirement that a ‘final decision’ must be made within four years after initiation of the databases.

Police arrest group after catching one suspect wearing a fake two-star general’s uniform

SEVEN people were sent to Ratanakkiri provincial court on Wednesday after they were found with forged government documents and fake military police uniforms, a provincial military police chief told the Post.

Tuy Sim, Ratanakkiri provincial Military Police chief, said his officials had arrested the group after one of its members was caught wearing a fake general’s uniform.

“Our men had lunch with [one of the suspects] and he was wearing casual clothes, and then later in the day they saw him wearing a two-star general’s military police uniform travelling to a pagoda in a Mitsubishi car with six other people,” Tuy Sim said.

He added that upon raiding the car, police found a gun, four other uniforms and forged documents, including one with the signature of Prime Minister Hun Sen and another that was signed by Minister of Agriculture Chan Sarun.

“They asked him for his name and which unit he came from, and when he began to panic, they suspected him and took them to the police station,” he said.

Illegal logging suspected

Pen Bonnar, provincial coordinator for the rights group Adhoc, told the Post Wednesday that he welcomed the arrests because he believed the group was likely involved in illegal logging.

“I request that authorities further investigate the group, as we have found that a lot of people who have fake police uniforms and forged documents are involved in illegal logging.”